ASN.1: Abstract Syntax Notation One. An ITU notation used to define the syntax of information data. It defines a number of simple data types and specifies a notation for identifying these types and for specifying values of these types. These notations can be used to define the abstract syntax of information independent of how the information is encoded for transmission.

Asymmetric Encryption: In an asymmetric encryption system different keys are used for encrypting and decrypting a message or a document, which means that the communicating parties need not "share a secret". Instead, the asymmetric system uses a key pair, a public and a private key, which is applicable in processes that require a high level of security.

Authentication: The process of establishing that an entity - whether human or machine - is who or what they say they are.

C

CA: Abbreviation of Certification Authority.

Certificate Authority: See Certification Authority below.

Certification Authority (CA): A Certification Authority (CA) is an enabling service that issues, manages and revokes certificates of users, service providers, applications and appliances. A certificate is signed by the CA, which guarantees the identity of the certificate owner.

CA Server: The server component in a public key infrastructure which handles, stores and issues digital certificates.

Certificate: A digital certificate is an electronic document which links a public key to a person or a company in a public key infrastructure enabling the user(s) to send encrypted and digitally signed electronic messages. The certificate identifies the user and is required to verify his digital signature. The certificate contains information about the identity and public key of the person/company as well as the certificate's expiry date. The certificate may also contain information about its usage.

Cipher: An algorithm for performing encryption and decryption.

Cipher Text: Encrypted information.

CRL: Certificate Revocation List. A list of certificates that have been revoked by the Certification Authority. The CRL can be compared to a blacklist containing the certificates which are no longer valid.

Cryptanalysis: Cryptanalysis, or 'code breaking', is the study of methods for obtaining the meaning of encrypted information. It is also used to refer to any attempt to get around the security of other types of cryptographic algorithms and protocols in general.

Cryptography: The study of message secrecy.

Cryptology: An umbrella term for cryptography and cryptanalysis.

Cryptosystem: A suite of algorithms, typically three - one for key generation, one for encryption and one for decryption.

D

Decryption: The process of converting an encrypted text back to a plain and meaningful text.

DER: Distinguished Encoding Rules. A set of encoding rules which are part of ASN.1.

DES: Data Encryption Standard. An encryption block cipher developed in 1977 by IBM. It applies a 56-bit key to each 64-bit block of data. It provides strong encryption based on symmetric cryptography, i.e. both the sender and receiver must know the same secret key. This key is used for both encryption and decryption. DES is sometimes used with 3 keys known as "triple DES" or 3DES. The Data Encryption Standard was replaced in 2000 by the Advanced Encryption Standard (AES).

Digital Certificate: See 'Certificate'.

Digital Signature: A digital signature is the electronic equivalent of a person's handwritten signature to guarantee the identity of the sender of an electronic message. The use of a digital signature is as legally binding as a physical signature as it fulfills three vital security needs: authenticity, non-repudiation and integrity.

Digital Time Stamp: A time code that can form part of a digital signature which proves the existence of the signed document or content at a given time.

DRM: Digital Rights Management.

DSA: Digital Signature Algorithm. A public key algorithm that is used as part of the Digital Signature Standard (DSS). DSA was developed by the U.S. National Security Agency to generate a digital signature for the authentication of electronic documents. It cannot be used for encryption, only for digital signatures. The algorithm produces a pair of large numbers that enable the authentication of the signatory, and consequently, the integrity of the data attached. DSA is used both in generating and verifying digital signatures.

DSS: Digital Signature Standard. Recommended as a standard in 1994 by NIST and has become the United States government standard for authentication of electronic documents, specified in Federal Information Processing Standard (FIPS) 186. It uses the Digital Signature Algorithm (DSA) to create digital signatures for the authentication of electronic documents.

E

ECC: Elliptic Curve Cryptography. A technique that uses elliptic curves for cryptography. The advantage of using elliptic curves is that they are particularly well-suited for applications involving chip cards with limited computational power, for example, mobile communication.

ECDSA: The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the DSA standard. The advantages of ECDSA compared to RSA-like schemes are shorter key lengths and faster signing and decryption. For example, a 160 (210) bit ECC key is expected to give the same security as a 1024 (2048) bit RSA key, and the advantage increases as the level of security is raised.

Elliptic Curve: In mathematics: an algebraic curve defined by an equation in the form $y^2 = x^3 + ax + b$.

EMV: A standard for interoperation of chip cards for authenticating credit and debit card payments. The name comes from Europay, MasterCard and Visa - the three companies who cooperated to develop the standard.

I

IEEE: The Institute of Electrical and Electronics Engineers.

ISO: International Organization for Standardization.

ITU: The International Telecommunication Union, formerly known as CCITT. The organization, which includes governments and the private sector, handles the coordination of telecommunication technology and is a leading publisher of standards and regulatory information.

J

K

Key: A key specifies the particular transformation of plain text into cipher text during encryption and vice-versa during decryption.

Key Generation: The process of generating keys.

Key Length: Encryption systems are only as strong as the length of the encryption key and depend on which type of mathematical equation - i.e. algorithm - the system employs. A long key makes it more difficult to break the cryptosystem - but the longer the key, the more time it takes to encrypt and decrypt messages.

Key Management: Key management includes all of the provisions made in a cryptosystem design, including cryptographic protocols, user procedures, etc., which are related to generation, exchange, storage, safeguarding, use, vetting, and replacement of keys.

L

LRA: Local Registration Authority. The LRA is responsible for registering and managing the users' identities in a Public Key Infrastructure (PKI). Based on this information the CA issues the digital certificates.

M

MAC: Message Authentication Code. MACs are used to validate information transmitted between two parties that share a secret key.

Man-in-the-Middle: An attack in which an attacker is able to read, insert and modify messages between two parties at will, without either party knowing that the link between them has been compromised.

MD2: A message-digest hash function optimized for 8-bit machines.

MD4: A message-digest hash function that is several times faster than MD2 and optimized for 32-bit machines.

MD5: A one-way message-digest hash function with a 128-bit hash value. The algorithm processes input text and creates a 128-bit message digest which is unique to the message and can be used to verify data integrity. MD5 was developed by Ron Rivest in 1991 to replace MD4.

MDC: Modification Detection Code. A hash function that produces a 128-bit output from block ciphers. IBM has named their hash functions: MDC-1, MDC-2 and MDC-4.

MIME: Multipurpose Internet Mail Extensions. A set of specifications for the interchange of text in languages with different character sets. MIME is also used to attach multimedia and rich text elements to e-mail that may be transmitted among different computer systems using Internet mail standards. The specifications define Content-Types and other conventions for the formatting of e-mail messages. S/MIME is a later standard that adds security to e-mail communication by allowing signing and encryption of messages.

N

NIST: National Institute of Standards and Technology, formerly known as the National Bureau of Standards. A unit of the US Commerce Department which promotes open standards and interoperability in computer-based industries.

O

One-time Password (OTP): A password that is used only once, often abbreviated to OTP. One-time passwords are used to make it more difficult to gain unauthorized access to, for example, an online bank account. Traditional static passwords have proved to be more easily accessible by an attacker; using a password that is altered constantly, as is done with a one-time password, greatly reduces the risk of unauthorized access being gained. There are three types of one-time password:

the first uses a mathematical algorithm to generate a new password based on the previous password

the second is time-based - the authentication server and the client providing the password are synchronized

the third is based on a challenge (e.g. a random number chosen by the authentication server or transaction details) and a counter instead of being based on the previous password.

P

Phishing: An attempt to fraudulently acquire sensitive information such as usernames and passwords via an email sent by the attacker appearing to come from the recipient's bank. It contains a link that leads the recipient to a convincing web page, at which point he is tricked into entering his details.

Pharming: An attack that redirects traffic intended for a website to another, bogus website.

PIN: Personal Identification Number.

PKCS: A set of Public Key Cryptography Standards devised by RSA Laboratories in 1991 which are widely used in public key cryptography systems.

R

Rijndael: The algorithm that was chosen by NIST to become the Advanced Encryption Standard (AES). It was developed by Vincent Rijmen and Joan Daemen. It has a block size of 128 bits and supports keys of at least 128 bits.

RIPEMD-160: A 160-bit hash function that offers a higher degree of security than 128-bit hash functions such as MD4 and MD5.

RSA: A public key cryptographic algorithm named after its inventors (Rivest, Shamir, and Adleman). It is used for encryption and digital signatures. RSA was developed in 1977 and is today the most commonly used encryption and authentication algorithm.

S

SDA: Static Data Authentication.

Session Key: A session key is a key used for encrypting one message or a group of messages in a communication session.

SHA Hash Functions: The SHA (Secure Hash Algorithm) hash functions refer to five FIPS approved algorithms denoted SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512, designed by the National Security Agency (NSA) and published by the NIST as a US government standard. The latter four variants are sometimes collectively referred to as SHA-2.

SHA-1 is employed in several widely used security applications and protocols, including TLS and SSL, PGP, SSH, S/MIME, and IPsec. It was considered to be the successor to MD5, an earlier, widely-used hash function.

The security of SHA-1 has been somewhat compromised, but the newer SHA-2 algorithms are not believed to be subject to the same vulnerabilities.

S/MIME: A standard that extends the MIME (Multipurpose Internet Mail Extensions) specifications to support the signing and encryption of e-mail transmitted across the Internet.

Symmetric Encryption: In a symmetric encryption system, a message or a document is encrypted and decrypted with the same key. The message is encrypted with the sender's key and the recipient decrypts the message by use of the same key.

SSL: Secure Sockets Layer. A technology used on the Internet to secure web pages and transactions by means of public key cryptography.

Stream Cipher: A stream cipher (also known as a state cipher) is a symmetric cipher in which the plaintext digits are encrypted one at a time, and in which the transformation of successive digits varies during the encryption. In practice, the digits are typically single bits or bytes.

T

Time Stamp: A time stamp can refer to a time code or to a digitally signed timestamp whose signer vouches for the existence of the signed document or content at the time given as part of the digital signature. Time stamps are used, for example, on contracts or medical records.

Time Stamping Authority: A trusted third party who issues a time stamp to prove the existence of certain data before a certain point in time without the possibility that the owner can backdate the timestamps.

TLS: Transport Layer Security. A protocol intended to secure and authenticate communications across public networks by using data encryption. TLS is designed as a successor to SSL and uses the same cryptographic methods but supports more cryptographic algorithms.

Two-factor Authentication: A more secure means of authenticating a user based on something they know (static password) and something they have in their possession (one-time password).

TPM: Trusted Platform Management.

Trojan Horse: Malicious computer software that looks harmless to the user but contains a virus or spyware. Named after the Trojan Horse in Greek mythology.

V

Virtual Private Network (VPN): A virtual private network (VPN) is a private communications network often used by companies or organizations, to communicate confidentially over a public network (e.g. the Internet) on top of standard protocols, or over a service provider's private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider. A VPN can send data (e.g., voice, data or video, or a combination of these media) across secured and encrypted private channels between two points.

X

X.500: X.500 is a series of computer networking standards covering electronic directory services. The X.500 series was developed by the International Telecommunications Union (ITU). ISO was a partner in developing the standards, incorporating them into the Open Systems Interconnection suite of protocols. ISO/IEC 9594 is the corresponding ISO identification. The directory services were developed in order to support the requirements of X.400 electronic mail exchange and name lookup.

X.509: Public key certificate standard. Used for secure management and distribution of digitally signed certificates across secure Internet networks.

X.509v3: Version 3 of the X.509 certificate standard includes extended data structures for storing and retrieving information on certificate application, certificate distribution, certificate revocation, policies and digital signatures. X.509v3 maintains time-stamped CRLs for all certificates, making it possible for the application to check the validity of the certificate.